In June 2004, the Committee on Citizens' Freedoms and Rights, Justice and HomeAffairs of the European Parliament (the LIBE Committee) asked the JRC to carryout a study on the future impact of biometric technologies. The then Commissionerfor Research, Mr. Philippe Busquin, passed this request to IPTS forimplementation; IPTS had done previous work for the Parliament in this area ofpolicy support, and as the JRC’s prospective studies institute, it was well-placed toaddress the matter.In the event, IPTS proposed a prospective approach examining the way in whichbiometric technologies could influence everyday life. Descriptive scenarios takenfrom everyday life help with a general appreciation of the issues, and intellectualrigour has been assured through an analysis of the socio-economic, technological,legal and ethical aspects of the large-scale introduction of biometrics. LIBECommittee members had the opportunity of hearing from a number of experts onthese particular aspects at a preliminary meeting held in October 2004.The present report, entitled Biometrics at the Frontiers: Assessing the impact onSociety, represents the output of the study. Its title underlines the purpose of thestudy to address biometrics beyond the immediate application for border controlpurposes, to their wider adoption and use in society.The study highlights a number of key issues to be taken into account whenconsidering the large-scale implementation of biometric technologies. The overallmessage is that the introduction of biometrics poses a number of technologicalchallenges, but more than that, it affects ways in which we organise some keyaspects of everyday life. These challenges need to be addressed in the near future ifEurope is to shape the use of biometric technologies so as to derive maximumbenefit from their deployment.The work was carried out by IPTS ICT Unit staff in collaboration with externalexperts whose contributions have been acknowledged in the text. In addition,colleagues from other European Commission services and from the EuropeanParliament provided their own comments and ideas. The responsibility for thework remains of course entirely with the JRC.

We would also like to thank the following European Parliament and EuropeanCommission colleagues for whose comments we are grateful:Emilio De Capitani and Katrin Huber (EP),Pascal Millot, Marie-Helene Boulanger, Peter Hanel, Ralf Mossmann, MichelParys (EC DG JLS),Andrea Servida, Guenter Egon Schumacher, Antonis Galetsas (EC DG INFSO).Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 5 of 166Table of Contents

PREFACE.................................................................................................3Acknowledgements................................................................................4Table of Contents...................................................................................5Preamble..................................................................................................7EXECUTIVE SUMMARY..........................................................................9I. Purpose and Structure of the Report........................................................9II. The Report’s conclusions and recommendations...................................9III Content of the Report............................................................................11

INTRODUCTION....................................................................................21Objective....................................................................................................21International and European Agenda..........................................................21Report Structure........................................................................................23SCENARIOS ON BIOMETRICS IN 2015..................................................24

CHAPTER 4: BIOMETRICS in 2015 - A scenario exercise............1014.1 Introduction...................................................................................1014.2 Scenario on biometrics in everyday life........................................1024.3 Scenario on biometrics in business..............................................1054.4 Scenario on biometrics in health..................................................1074.5 Scenario on biometrics at the border...........................................1094.6 Concluding Remarks on scenario exercise..................................112

Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 7 of 166PreambleImagine that someone wishes to access their e-mail through a PC which is invitingthem to log on. The message on the screen reads Place your right-hand index fingeron the reader and hold for two seconds. The person does so and almost immediatelythe screen reads Welcome.Convenience and security combine to enable access to the service by authorisedusers and prevent non-authorised access. There is no need to remember passwords,no need to have a password policy and no risk of password loss. The result is areduction in error and fraud through stronger confidence in the authenticity ofofficial documents like passports and driving licences. The process is also a lotmore efficient because of its very simplicity. This, in a few words, is whatbiometric technologies are supposed to bring to the processes of identification andauthentication in the future.Biometrics are already firmly on the political agenda, and were so well before theevents of September 11. Modern economies require increasing levels of mobilityon the part of the workforce, and in an emerging networked Information Society,physical identity is increasingly being replaced or supplemented by its digitalequivalent. So quite apart from present-day security concerns, these underlyingtrends drive the need for more and better means of identification. Biometrictechnologies seem to offer a solution for stronger identification.Despite their usefulness however, implementing biometric technologies raisesseveral concerns. These emerge both from the exceptionally large scale ofdeployment and from the need to protect collected data from abuse.Whether because of a perceived need for increased security, or through a desire toprovide more confidence in the use of Information Society services, and inparticular public services, governments have taken the first steps in consideringdeployment of these technologies. In doing so they have laid themselves open tocriticism from some quarters regarding a possible erosion of civil liberties, andfrom others regarding a proliferation of different and uncoordinated systems ofidentification.It is our view that the implementation of biometric technologies by governments isboth inevitable and necessary, and that the criticisms, issues and challenges raisedmust be addressed as part of the implementation process. However, our researchhas led us to a much broader hypothesis: that initial ‘governmental’ applications forborder control and eGovernment services will give way in the future to a wider useof biometrics for commercial and civil applications. We have termed this ‘thediffusion effect’, arising from an increased acceptance of biometric identificationby citizens in their dealings with governments, and leading to a positive perceptionof its value and convenience for other purposes.Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 8 of 166

Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 9 of 166EXECUTIVE SUMMARYThis Summary is divided into three sections; the first explaining the purpose of thestudy and structure of the report; the second the main conclusions andrecommendations; and the third summarising the contents of the report. Anysummary is of necessity concise; readers are advised to consult the main body ofthe report for more detailed background and explanation on any given issue in thiscomplex field.I. Purpose and Structure of the ReportIn spring 2004, the LIBE1Committee of the European Parliament asked DG JRC tocarry out a prospective study on the impact of biometric technologies. The studykick-off meeting took place in Brussels the following July with a view to deliveringa final report early in 2005. The present report constitutes that deliverable.The prospective approach has led to one of the main messages of the study: thatbiometric-based identification will proliferate in society, extending from initialgovernment use to civil and commercial applications, and that this proliferation willhave a profound impact on society. We try to assess the long-term implications ofthis so-called ‘diffusion effect’ and suggest policy initiatives that might minimiseany negative impacts.The aim of this report is to examine some of the issues raised by the large-scaleimplementation of biometrics so as to help enhance the quality of informeddecision-making at the European level.In order to achieve this, four scenarios have been designed to depict a future societywhere biometrics are used in many different ways. The scenarios represent likelyapplications of biometric technologies rather than a prediction of possible outcomes.They aim to stimulate discussion and raise awareness about the emerging issues.The report also attempts to address the current lack of data and research byconsidering the social, legal, economic and technological challenges and analysingin depth four biometric technologies - face, fingerprint, iris and DNA. The reportconcludes by identifying a number of issues that policymakers need to address.II. The Report’s conclusions and recommendationsThe introduction of biometrics affects the way our society is evolving towards aknowledge society and poses a number of technological challenges. These need tobe addressed in the near future if policy is to shape the use of biometrics rather thanreact to it. A pro-active approach embracing a number of different policy areas –security, industrial policy, competitiveness and competition policy – is one fullyconsistent with the Lisbon goals, ensuring that Europe reaps the benefits ofgovernmental initiatives in this important area.

1Committee on Citizens’ Freedoms and Rights, Justice and Home AffairsBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 10 of 166The study has identified a number of issues that require further consideration andaction so that Europe can benefit from the large-scale deployment of biometrictechnologies. Two overriding conclusions provide the basis for the report’srecommendations:• The ‘diffusion effect’. The use of biometrics can deliver improvedconvenience and value to individuals. It is expected that once the publicbecomes accustomed to using biometrics at the borders, their use incommercial applications will follow. The diffusion effect is likely to requirethe addition of specific provisions on biometrics to the existing legalframework. New legislation will be needed when new applications becomewidespread and necessary fallback procedures are defined.• There is a need to recognise the limitations of biometrics. The mainreason for introducing biometric systems is to increase overall security.However, biometric identification is not perfect - it is never 100% certain, itis vulnerable to errors and it can be ‘spoofed’. Decision-makers need tounderstand the level of security guaranteed through the use of biometricsystems and the difference that can exist between the perception and thereality of the sense of security provided. The biometric system is only onepart of an overall identification or authentication process, and the other partsof that process will play an equal role in determining its effectiveness.Recommendations

The above conclusions lead to the following recommendations:1. The purpose of each biometric application should be clearly defined. Theuse of biometrics may implicitly challenge the existing trust model betweencitizen and state since it reduces the scope for privacy and anonymity ofcitizens. Clarity of purpose is needed to avoid ‘function creep’ and falseexpectations about what biometrics can achieve. Such clarity is particularlyneeded to ensure user acceptance.2. The use of biometrics to enhance privacy. Biometrics raise fears related toprivacy, best expressed by the term “surveillance society”, but they also havethe potential to enhance privacy as they allow authentication withoutnecessarily revealing a person’s identity. In addition, by using multiplebiometric features it is possible to maintain related personal informationsegregated and thus limit the erosion of privacy through the linkage ofseparate sets of data. The more policy measures are able to encourage the useof biometrics to enhance privacy, the more biometrics will be acceptable tothe public at large.3. The emergence of a vibrant European biometrics industry. Thelarge-scale introduction of biometric passports in Europe provides MemberStates with a unique opportunity to ensure that these have a positive impact,and that they enable the creation a vibrant European industry sector. Twoconditions would appear to be necessary for this to happen. Firstly, theBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 11 of 166creation of a demand market based on wide user acceptance, by clearlysetting out the purpose and providing appropriate safeguards for privacy anddata protection. Secondly, the fostering of a competitive supply market forbiometrics. This is unlikely to emerge by itself and will need kick-starting bygovernments – in their role as launch customers, not as regulators.4. Fallback procedures.

Since biometric systems are neither completelyaccurate nor accessible to all, fallback procedures will be needed. In the caseof physical access systems (e.g. border control) skilled human operators needto be available to deal with people that are rightly or wrongly rejected.Whatever the application, whether in the private or public domain, thefallback procedures should be balanced – neither less secure, nor stigmatised.People with unreadable fingerprints, for example, have the same need fordignity and security as everyone else.5. Areas for Future research. The study has revealed several areas wherefurther data and research is needed. These include:– Research and Technological development. Biometric technologiesprovide a strong mechanism for authentication of identity. Biometricscannot be lost or stolen, although they can be copied, and they cannot berevoked. However, the technology is still under development. Technicalinteroperability and a lack of widely accepted standards, as well asperformance and integrity of biometric data are major challenges thatneed to be addressed.– Multimodal biometric systems. Multimodal systems are those whichcombine more than one biometric identifier. For example, it is currentlyplanned to use face and fingerprints in EU border control systems.Research initiatives have been launched on the application of multimodalbiometrics in mobile communications (e.g. mobile telephones and otherdevices). However researchers need more test data to work with andthere is still much work to be done.– Large-scale field trials. So far, empirical data on the real-timelarge-scale implementation of biometric identification involving aheterogeneous population is limited. Field trials will have to beconducted to fill this gap. Such trials could also provide realisticcost-benefit data. Moreover, there is a need to exchange best practice andto harmonise Member State initiatives. The European Commission’sDirectorate General for Information Society and Media has taken someinitiatives in this regard.III Content of the Report1. Some Basic DefinitionsA biometric indicator is any human physical or biological feature that can bemeasured and used for the purpose of automated or semi-automated identification.Such features can be categorised as physiological (e.g. height, weight, face, iris orBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 12 of 166retina.) or behavioural (e.g. voice, signature or keystroke sequence). Somebiometric features are persistent over time while others change. All biometricfeatures are deemed ‘unique’ but some are less ‘distinct’ than others and thus lessuseful for automated identification purposes. The distinctiveness of any biometricfeature depends also on the effectiveness of the sampling technique used to measureit, as well as the efficiency of the matching process used to declare a ‘match’between two samples.Biometric identification is a technique that uses biometric features to identifyhuman beings. Biometrics are used to strongly link a stored identity to the physicalperson this represents. Since a person’s biometric features are a part of his or herbody, they will always be with that person where ever he/she goes and available toprove his or her identity. Biometric technologies may be used in three ways: (a) toverify that people are who they claim to be, (b) to discover the identity of unknownpeople, and (c) to screen people against a watch-list.Biometric identification works in four stages: enrolment, storage, acquisition andmatching. Features extracted during enrolment and acquisition stages are oftentransformed (through a non-reversible process) into templates in an effort tofacilitate the storage and matching processes. Templates contain less data than theoriginal sample, are usually manufacturer-dependent and are therefore notgenerally interoperable with those of other manufacturers. Templates or fullsamples thus acquired may then be held in storage that is either centralised (e.g. in adatabase) or decentralised (e.g. on a smart card). As a consequence of the statisticalnature of the acquisition and matching stages, biometric systems are never 100%accurate. There are two kinds of possible errors: a false match, and a falsenon-match. These errors vary from one biometric technology to another and dependon the threshold used to determine a ‘match’. This threshold is set by the operatorsdepending on the application.The report uses seven widely-accepted criteria to assess biometric technologies:universality, distinctiveness, permanence, collectability, performance,acceptability and resistance to circumvention. The degree to which each biometrictechnology fulfils a given criterion varies. It is only useful however, to compare thetechnologies based on the criteria once a specific application and a concreteidentification purpose have been set. For example a convenience application (e.g.controlling access to food in the student cafeteria) may tolerate a significant errorrate while a high-security application (such as controlling access to a nuclear site)would require minimal error rates.There are currently few biometric applications that have millions of enrolledindividuals and thousands of deployed devices. Those that do exist are typically inlaw enforcement and in certain civil areas. Physical access control (access to a site)is another area that has been developed and logical access (in particular onlineidentity) is forecast to be a fast-growing use of biometrics in the future. Moreimportantly, the integration of biometrics into passports and visas will be the firsttruly large-scale deployment in the European Union. It still remains to be seenwhether biometric applications will be deployed where individuals voluntarilyparticipate because they find the application beneficial and convenient.Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 13 of 1662. Biometrics IssuesAt present, many applications of biometric technologies exist both in the privateand public sector. Some of these are considered large-scale, for example the FBIfingerprint database in the US or the Malaysian multi purpose smart card. But so farno application comes close in scale to the proposed scheme for passports and visas.The widespread implementation of biometric applications in the public sector andtheir potential proliferation in the private sector will pose a series of challengeswhich policy-makers need to address. The report examines the social, economic,legal and technological implications of biometric technologies, and includes a shortbut important analysis of the medical implications. In each of these analyses, theissues of security, privacy, interoperability with other systems and costs areexamined.SecurityBiometric systems are more secure than traditional identification systems. But theyonly represent a secure identification process in that they provide a strong linkbetween physical persons with their identity data. This means that the integrity ofthe linking process must be high. This will depend on the secure operation of eachone of the four stages of a biometric identification process (enrolment, storage,acquisition, matching). In addition it cannot rely on secrecy, since most biometricfeatures are either self-evident or easily obtainable. On the other hand, sincebiometrics are only a part of the system, it is not enough to secure the biometricsystem if the rest of the process remains open to circumvention. In the end, thenotion of a biometric identifier being absolute proof of identity has to be discarded.Biometric identification systems are subject to errors and circumvention and thusare not perfect. It is important for whoever uses biometric identification systems tounderstand this principle.PrivacyWhile the use of a biometric technology is not an invasion of privacy, in many casesthe way the digital data is produced, stored, compared and possibly linked to otherinformation about the individual, may raise a set of concerns. Although these areconcerns the existing legal framework for Data protection can handle thewidespread diffusion of biometrics into the commercial sphere may challenge thelegal framework in ways that will have a negative impact on user acceptability. Forexample should the habit of sharing biometric data among private sector entitiesproliferate, then it is likely that users may find that the current data protection frameis unable to protect them adequately and thus become disenchanted withconvenience application altogether. Moreover, one would have to consider ethicalconsequence of large scale deployment. One could argue that the use of a part ofoneself (the biometric feature that is being digitised, stored and compared) as one’sidentity is eliminating the space that we traditionally place between our physicalselves and our identity. Currently, any individual has the option of changingidentity if the need arises (e.g. witness protection programme). This becomesharder or even impossible when identity is tied up with the physical self.Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 14 of 166InteroperabilityFor any emerging technology, interoperability across geographical borders andbusiness sectors, across processes, devices and systems is beneficial to its diffusion.National interests in maintaining control and vendor resistance (aspiring to futuremarket dominance due to lock-in effects) are natural barriers to interoperability.There is significant work being done at national and international levels to developstandards, which will be useful in promoting open systems development andinteroperability. Technical interoperability is likely to be achieved in the near futurebut interoperability of processes may be more challenging especially whenbiometrics become more widely diffused in society.When systems become more interoperable, the need for building safeguards againstabuse grows as well. Moreover, since individuals have many different biometrics attheir disposal, there is the possibility for different applications to make use ofdifferent biometrics, in the sense that limited interoperability may create barriersand thus protect against abuse. Such systems may still be compatible at the datatransmission level and thus it may still be possible to cross-check information as towho was identified and where.CostsCosts vary between technologies and also between low-end and high-endequipment within any one technology. It is the purpose and scale of an applicationthat determine costs. Thus costs will depend on the choice of open- orclosed-system architecture, type of application, centralised or decentralised storage,whether encryption is used as a means of data protection, and the decision of wherein the system matching takes place. Moreover, enhanced market competition ormarket distortions will also impact on costs, as will regulatory decisions oninteroperability, standards and intellectual property rights. In addition, it must benoted that real costs include overall system security (at all biometric stages) as wellas those of the fall-back system which is an indispensable element of any properbiometric application.Social aspectsBiometric technologies are just a tool, but their social implications may befar-reaching. Europe faces the challenge of better understanding the longer-termimplications of large-scale deployment of biometrics so as to ensure their beneficialimplementation. The following four themes have been identified as the main socialissues:1. Clarity of purpose in relation to biometric applications. “Function creep”is an important concern, i.e. that technology and processes introduced for onepurpose will be extended to other purposes which were not discussed oragreed upon at the time of their implementation. Thus it is important to beBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 15 of 166clear about what the needs of the application are and how biometrics will beable to achieve them.2. Interoperability and equivalence of performance and process. This is notonly a technical issue. Process equivalence (for instance backup proceduresthat are the same everywhere) is extremely important as it impacts on systemperformance, especially where biometrics are used in international situations(e.g. border control).3. Human factors, usability and social exclusion. Human factors such as age,ethnicity, gender, diseases or disabilities (including natural ageing) ought to bestudied on a case-by-case basis so as to minimise the possibility of socialexclusion of a small but significant part of the population. More research isalso needed on the usability and the user-friendliness of biometrics in real-lifesituations.4. Impact upon the trust model between citizen and state. People maytemporarily accept a loss of some of their personal freedom in exchange for amore secure world. But when government control is perceived as excessive,disproportionate and/or ‘too efficient’ this may lead to an erosion of trustwhich will be in the interest of neither governments nor citizens.Economic aspectsBiometric technologies are strong identification technologies and as such influencethe level of ‘trust’ in economic transactions. In other words they can help reducefraud and thus help materialise the efficiency and equity gains of the InformationSociety. They help simplify things from the user’s perspective and minimise thelikelihood of error. At the same time their widespread deployment in the publicsector will make identification over the network easier, more secure and may bringdown costs per secure transaction. This in turn will help consumers make moreefficient transactions. Standards and interoperability issues, however, determinewidespread adoption and shape economic challenges. The following five themessummarise the economic implications of biometrics:1. The concept of optimal identity. The economic importance of identity isgrowing in a digital society, but the strongest identity protection is notnecessarily the optimal one. This important point is explored in depth in thereport.2. Negative implications of stronger identification. Identity errors and abusemay become less frequent, but when they happen, they could potentially bemore dangerous. For example identity theft may become less frequent butmore severe and with wider social repercussions.3. Interoperability is vital for market operation. There is a serious danger thatthe biometrics identification market – and markets that depend on identity –Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 16 of 166may fragment into clusters that will not interoperate, thus becomingvulnerable to monopolisation or dominance by a few players.4. Biometrics-related IPRs threaten open competition. The unregulatedexploitation of intellectual property rights to aspects of biometrics cansignificantly reduce competition in biometrics and/or distort development,direction and speed of uptake.5. Public sector uptake will shape the market. The use of biometrics ineGovernment initiatives and associated large-scale public procurement couldbe key levers to ensure open and competitive markets, and rapid andsocially-productive innovation.Legal aspectsUp to now biometric technologies have been operating in various closedenvironments; by contrast, their use in private transactions will be based on consent.The existing legal framework does not hinder public and private actors fromimplementing applications. The deployment of biometrics does not threatenprocedural rights (i.e. rights in a court of law); their use is deemed intrusive butwithin reasonable limits and a few unresolved issues arising from the dataprotection framework have not hindered recent choices for biometrics in Europeanpassports. However, their widespread implementation and the fear of a‘surveillance’ society that may follow from the so-called ‘diffusion effect’ may callfor a rethink of the legal tools available. The following four themes are brieflydescribed so as to enable a better understanding of the legal implications ofbiometrics:1. Enabling legal environment. The existing legal environment (privacy anddata protection) is flexible in that it is an ‘enabling’ legislation legitimising thede facto commercial use of personal data. Data protection rules regulate theuse of biometrics but they lack normative content and raise no ethical debate.2. Opacity/transparency rules required. Data protection (transparency rules)does not specify what the limits of use and abuse of biometrics are. Opacity(privacy) rules may prohibit use in cases where there is the need to guaranteeagainst outside steering or disproportionate power balances.3. Wider implementation raises fundamental concerns. As biometrics arediffused in society some concerns are gaining in importance: concerns aboutpower accumulation, about further use of existing data, about specific threatsrelated to the use of biometrics by the public sector, about the failure to protectindividuals from their inclination to trade their own privacy with what seemsto be very low cost convenience.4. Use of biometrics in law enforcement. It is imperative that biometricsevidence be regulated when presented as evidence in courts of Law so as toprotect suspects adequately (e.g. being heard, right to counter-expertise).Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 17 of 166Technological aspectsBiometric technologies are still largely undergoing development and are not yetmature enough for widespread use in society. Enrolment is the first and mostimportant stage of any biometric application since the overall efficiency, accuracyand usability of a system depends on this stage. Re-enrolment during the life-cycleof an application is not only necessary because of natural and accidental changes tobiometric features, but also to ensure that the acquisition of the sample patterns isperformed using state-of-the-art sensor technology. However, not enoughlarge-scale trials exist to help draw conclusions on enrolment procedures.Biometric sample or template storage and their protection are also very importantissues. Storing can be done in centralised databases or on portable media such assmart cards or tokens. The report examines the following four technologicalconcerns:1. Performance/Accuracy. There will always be a compromise between thelevel of accuracy that can be obtained from a biometric system and the level ofperformance obtained in operating a live system with a threshold based onoperator- or application-defined constraints.2. Biometric Privacy. Biometrics could be used in the future to enhance privacyby using a biometric feature to encode a security key, for example a PIN codewhich allows access to a bank account. There are many advantages to this useof biometrics – primarily that keys thus produced are not linked to the originalpatterns, are not stored and can be revoked at will.3. Interoperability. Technical interoperability and the availability of widelyaccepted standards and specifications are issues that are currently beingresearched. They are particularly important in border-control applications, inwhich different countries are inevitably involved but that will also be the casein the future with worldwide consumer applications (e.g. bank ATMs).4. Multimodality. Combining several modalities, e.g. fingerprint and iris, insequence results in the improvement of a system’s overall efficiency, whilecombining them in parallel improves a system’s flexibility by providingalternative modes for the verification/identification process. The choice ofwhich modalities to combine is driven by the specific application design. Thiscombination may be performed at different stages of the process, resulting invarious benefits. Multimodality could also be viewed as a securityenhancement, for example by having the system request alternative modalitiesto be tested at random in an effort to keep potential impostors at bay.Medical aspectsDirect medical implications include potential risks to human health from the use ofbiometrics as well as public concerns related to possible hazards. Indirectimplications relate to the ethical risk of biometric data being used to reveal privateBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 18 of 166medical information. The former are more a matter of public perception while thelatter are more difficult to deal with. Developing this further:1. Direct Medical Implications. Interaction with a biometric sensor holdstwo potential health risks. If the system uses a contact sensor there is a risk(real or perceived) of the sensor being contaminated. The real risk may beminimal, especially when compared to similar everyday actions (touchingdoorknobs, railings) but the perceived risk may have a negative impact onpublic acceptance. Regular cleaning (e.g. through periodic irradiation withUV light) can minimise concerns and improve sensor performance. Thesecond risk relates to technologies that use radiation to assist acquisition(e.g. retinal scanning which use infrared light). There is a fear that thisradiation could be damaging to the eyes. Retinal scanning could causethermal injury on the back of the eye, but it is a biometric technique that isnot currently in use. Data from iris recognition equipment manufacturersshow no evidence that iris systems could pose a risk. It would be reasonablehowever to validate this claim in independent laboratories.2. Indirect Medical Implications. These are more controversial as they referto fears about the possibility of biometric data revealing sensitive healthinformation, leading to ethical concerns. Iridologists allege that the irisexposes potential health problems, but these claims are scientificallyunfounded and thus the only risk may be one of public fear. Retinalscanning could have serious implications as it may enable detection of asubject’s vascular dysfunction. There are also concerns that in the future,face recognition may be used to detect expressions and thus emotionalconditions. The ethical debate gets extremely heated when the use of DNAis considered, although the regions of DNA necessary for identification are‘non-coding’ (i.e. to the best of current knowledge, these regions do nothold genetic information so do not code for any genes).3. Overview of selected biometric technologiesIt is also worth looking at selected individual technologies in-depth so as tounderstand the challenges specific to each. Details of the four selected technologiesare presented below, followed by a brief comparison.1. Face recognition is used every day by humans for identification purposes. It isconsidered less intrusive than all other technologies and has thus a higher levelof user acceptance. But for machine identification it poses more of atechnological challenge, currently having lower accuracy rates than the otherprincipal modalities. Face recognition is characterised by its theoreticalpotential to operate at a distance, with or without user cooperation. This couldlead to systems that recognise an individual passively, improving conveniencebut also raising privacy fears. Face recognition also holds the risk that thebiometric identifier may be “stolen” without a person’s knowledge as peoplenearly always have their faces on public display, thus it is critically importantto make systems which are practically impossible to spoof.Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 19 of 1662. Fingerprints are the oldest and probably best known biometric identifiersgiven their intensive use by law enforcement agencies. In the past,highly-skilled people were used for fingerprint recognition but now the wholeprocess can be reliably automated provided that all parameters are under strictcontrol. The extensive experience with fingerprint technology is likely to pavethe way for the inclusion of fingerprint readers in consumer electronic devices.The two main challenges to be addressed are (i) an estimated 5% of people arenot able to enrol and (ii) there is a lack of interoperability in an opencommercial context.3. Iris recognition technology is apparently mature enough to be usedcommercially in high-security applications in both identification andverification modes with excellent performance results. According tomanufacturers’ claims, so far there has never been a false non-match. Yet ithas a smaller share of the market than hand, face and fingerprint techniques. Itinvolves a non-contact, consensual enrolment process. However, it is said toproduce a sense of discomfort as users are not certain as to where to focuswhen providing a sample. Also, not everyone can enrol satisfactorily.4. DNA identification is based on techniques using a specific part of the‘non-coding’ DNA regions, i.e. regions of DNA that to the best of currentknowledge bear no genetic information. It is mainly used in forensiclaboratories as it does not allow a real-time identification. It is a highlyaccurate technique where exclusions are absolute and matches are expressedas a probability. DNA enrolment is always possible, but DNA identification isexpensive, time-consuming (several hours), and needs skilled humanintervention. It is also not possible to distinguish between identical twins(contrary to fingerprints or irises, for instance).Comparing the different modes. By comparing each biometric mode one mayreach simplified conclusions such as: fingerprint technologies perform well onmany aspects and this is the reason that they are chosen for most applications; facetechnology is still very weak technically in terms of performance and accuracy; irisrecognition performs exceptionally well but has a relatively higher failure-to-enrolrate and is less accepted; DNA technologies are not well accepted and need a lotmore time to produce a decision result, which explains why they are mostly used inforensics.4. Scenarios on future biometricsThe objective of the biometric scenarios presented in this report, is to broaden thescope of thinking on the future of biometrics and to raise key issues that might atpresent be overlooked. Four scenarios are depicted: biometrics at the borders, in thehealth sector, in business and in everyday life. They can be placed on a continuumranging from public-sector applications, to private applications with little or nogovernment involvement. Privacy, security, usability and user acceptance concernsdiffer according to the environment.Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 20 of 166Scenario 1. The everyday life scenario depicts a day in the life of a traditionalfamily, in the form of a diary entry by the teenage son. The scenariodraws attention to one basic fact about biometric technologies: thatthey can never be 100% secure. There is a trade-off betweenallowing impostors through the system (false accept) and denyingaccess or services to legitimate users (false reject); the choice ofthreshold will depend on the nature of the application.Scenario 2. The use of biometrics in business can be for various purposes:internal (e.g. for employees) and external (e.g. with clients, othercompanies). The scenario is presented as a memo to the seniormanagement of a large multinational supermarket chain which hasembraced the use of biometrics but is concerned that it is not reapingthe expected benefits (access control, auditing working hours, andcustomer loyalty). It shows that back-up/alternative procedures areimportant and that biometric access systems are only as secure astheir weakest link, which is, in this case as in most cases, human.The scenario describes how users concerned about their privacymay reject biometrics when there is little perceived added value forthem.Scenario 3. The health scenario presents an exchange of e-mails between twodoctors in different countries. Strong identification is essential in thehealth sector - retrieving medical histories, administering medicine,handing out prescriptions, and carrying out medical procedures, allrely on the correct identification of the individual. In addition thereis a strong need for privacy given the sensitive nature of medicaldata. These two requirements make the health sector a very likelyfield for the application of biometrics.Scenario 4. Biometrics at the borders is likely to occur within the shortesttimeframe as concrete plans for this application already exist. Byfocusing on three destinations and three family members, the use ofbiometrics is illustrated by different age groups in countries wheredifferent legal and regulatory regimes apply. The importance ofsecure enrolment is highlighted by following the family in theirquest for necessary visas.

Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 21 of 166INTRODUCTIONBiometric technologies can be used to identify people by pairing physiological orbehavioural features of a person with information which describes the subject’sidentity. It is almost impossible to lose or forget biometrics, since they are anintrinsic part of each person, and this is an advantage which they hold over keys,passwords or codes. These technologies, which include amongst others, face, voice,fingerprint, hand and iris recognition, are the basis of new strong identificationsystems.However, biometric technologies are still largely under development despite thefact that they have been used in various applications over the past 40 years. Inaddition, they form only part of an identification system. There are challenges forsuch systems, on the one hand emerging from the need to adequately protect themfrom abuse, and on the other as a result of their wide-scale implementation and theimpact that may have on society. There is currently a lack of data and researchrelating mainly to the non-technological challenges and more specifically to thelarge-scale introduction of biometric identifiers, including their use in visas,residence permits and passports.The purpose of this report is to address that lack of data and analysis, with the aimof enhancing the quality of informed decision-making at a European level. Awide-ranging prospective study has been carried out which will try to address theimpact of biometric technologies and applications on people’s everyday life and thepotential policy issues, in a comprehensive manner. It is not the purpose of thisreport to argue for or against biometrics. It is equally not the purpose of the report toaddress the requirements of the international or European political agenda, whichare briefly described below. Rather, at the end of the report, the reader should haveenough knowledge about biometrics and their current, emerging or potentialconsequences to make an informed decision. This may support the introduction ofbiometrics that not only protect society but also advance it for the better whileallowing services to flourish.ObjectiveThe objective of this study is to increase the knowledge base on the large-scaleimplementation of biometrics so as to enhance the quality of informeddecision-making at the European level.

International and European AgendaAs a response to the September 11 terrorist attacks on the US, and clearly based onconcerns about threats to global security, the US Government strongly advocatedthe inclusion of Biometric Identifiers in travel documents (EUR 20823 EN, 2003).The current US security policy regarding biometrics is mainly based on twodecisions:Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 22 of 166• After the 30 September 2004, all foreigners (even those from the 27Countries listed in the visa waiver programme - VWP) will have to accept toprovide a high resolution digital picture of their face and their fingerprints;• U.S. law initially required citizens of VWP countries to have machine-readable biometric passports by October 26, 2004; Congress extended thedeadline for biometric requirements in VWP passports to October 26, 2005to allow more time to resolve technical issues.In May 2003 the ICAO (International Civil Aviation Organisation) published newstandards for MRTD (machine readable travel documents) in order to introducebiometric technologies. These standards are in line with the US initiative. The facehas been selected as the primary biometric, in the form of a high-resolutiondigitalised image which will be stored on a contactless chip, in order to facilitateglobal interoperability in border-control identification.The topic of biometrics is not a new one for the European institutions. A Councilregulation was adopted (December 2000) for the establishment of “EURODAC”which is a fingerprint database of asylum seekers and illegal immigrants. TheEuropean Council of Thessaloniki (June 2003) agreed to go ahead with biometricidentifiers in third country nationals’ visas and citizens’ passports. As aconsequence, of the Council conclusions it proposed to introduce biometric datainto travel documents in order to improve the accuracy of identification and maketravel documents more secure against counterfeiting.Regarding the European agenda, five proposals from the EU institutions constitutethe main European platform for the introduction of biometric identifiers:1. 24 September 2003:Proposal for a Council regulation amending (EC)1683/95(uniform format for VISA) and (EC)1030/02 (uniform format for residencepermits);2. 8 June 2004:Council decision (2004/512/EC) establishing the VISAInformation System (VIS);3. 13 December 2004: Council regulation (EC) 2252/2004 on standards forsecurity features and biometrics in passports and travel documents issued byMember States;4. 28 December 2004: Proposal for a Regulation of the European Parliament andof the Council concerning the Visa Information System (VIS) and theexchange of data between Member States on short stay-visas, COM(2004) 835final;5. 28 February 2005: Commission decision C(2005) 409 laying down thetechnical specifications on the standards for security features and biometrics inpassports and travel documents issued by Member States.

The European Parliament, which had previously rejected the Commission’sproposal (April, 19, 2004), passed the new proposal on December 2, 2004stipulating that biometric data should only be used for verifying the authenticity ofthe passport and should be handled only by competent authorities2.

Report StructureThis brief introduction continues by presenting four scenarios which exemplifybiometric use in the not so distant future. The main body of the text is thenstructured in five parts. Chapter 1 introduces the key concepts: what biometrics are,how they work, and for what purposes they can be used. It also briefly introducesfour issues which are prominent in the discussion on biometrics: security, privacy,interoperability and cost.Chapter 2 provides specificities of biometric technological systems and touchesupon the medical aspects of biometrics. Also, Chapter 2 briefly introduces fourmain biometric modalities: face, fingerprint, and DNA. The advantages anddisadvantages of using combinations of these biometric technologies are alsoexplored.Chapter 3 presents a detailed analysis of the social, legal, economic andtechnological aspect of biometrics. On social issues, the report notes that biometricstouch upon the trust model between citizen and state and that socio-demographicand cultural differences, psychological factors and usability are important.Economic aspects include the market side (growth of the sector main players), thedirect and indirect impact on the economy, as well as issues regarding intellectualproperty rights. From a legal point of view, biometrics are evaluated with regard tohuman rights, privacy and data protection legislation. Finally, from a technologicalpoint of view, the technological challenges for Europe are reported.Chapter 4 takes up the scenarios that are presented just below in the introduction. Itbriefly analyses the scenarios which aim at illustrating current and futurechallenges of the introduction of biometrics throughout society. The identifiedissues lead to conclusions and policy recommendations developed in Chapter 5.There are two annexes to this report. The first annex provides further informationon the four selected biometric technologies: face, fingerprint, iris and DNA. IN thesecond Annex the questions originally posed by the European Parliament’s LIBECommittee are presented and the areas of the report through which these have beenanswered are highlighted. A glossary and list of references can be found at the endof the report.

Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 24 of 166SCENARIOS ON BIOMETRICS IN 2015

OBJECTIVEScenarios are one of the main tools for looking at possible futures. Rather thanpredicting the future, they are used to stimulate discussions on identifying andunderstanding the key relevant issues when thinking about possible futures. Thebiometrics scenarios presented here give a vision of a future society (2015) wheredifferent biometrics are used for a wide range of purposes and applications. Theirgoal is to open up the scope of thinking on the future of biometrics. The use ofbiometrics is presented in four different environments: in Everyday Life, inBusiness, in Health and at the Border. The reader is also referred to Chapter 4 of thereport, which provides an analysis of these scenarios and summarises the mainconclusions that emerge.

SCENARIO 1: BIOMETRICS IN EVERYDAY LIFE

The diary of Constantin, a teenager born in the late 20th century

I got into a bit of trouble at school today. One of my friends, Ed, has been banned from thecafeteria because his parents haven’t paid the school fees on time. I think that’s unfair, so Ihelped him spoof the cafeteria entry system. It uses iris recognition which is very secure ifinstalled properly but the cafeteria uses cheap readers that are easy to fool. I just printed ahigh-resolution picture of my iris and Ed presented that to the system. Our trick has beenworking fine for the past few days, but yesterday it seems they realised my iris was beingscanned twice a day – I never thought the system checked for double entries! They sent meto the headmistress’s office who wasn’t happy. She called up Mum at work and asked her tocome over to the school. I wish Mum hadn’t been able to come because she made such afuss. If only the fingerprint scanner in the car’s ignition had broken down, it would havedelayed her from coming. My parents think that the fingerprint scanner is great because itlowers their insurance premium, but it’s a pain for me because I’ll never be able sneak outwith the car until they enrol me onto the system.In the meantime, granny had to go to the nursery to pick up my little brother because Mumwas at school with me. It’s a big nursery and they’re paranoid about strangers picking upthe wrong kids so they spent lots installing a multimodal biometric system a few years ago.Granny enrolled in the system right at the start but she’s never had to use it up until now. Itworks with face and voice recognition, and it’s supposed to unobtrusively scan andrecognise parents as they ring the doorbell and ask for their child. Well that’s not how itworked in granny’s case – the system didn’t recognise her so the door wouldn’t open. Allface recognition systems perform much worse if the stored template is old and I guess forgranny the situation was even worse because she’s aged a bit. The nursery wants to be tighton security so the system is set to a low number of false positives. But that means it getsmore false negatives and doesn’t recognise the people that it should.If it doesn’t work right away, what you’re supposed to do is stand very still in front of thecamera with a neutral expression for a few seconds, so that the face recognition system canget a good shot. Then you speak clearly to a microphone so that the voice recognitionsystem can do its job. Well granny says a queue of parents started building up behind herand she got very nervous which made her voice begin to falter. I can imagine her expressionwasn’t all that neutral either. The more flustered she got, the less likely the system was torecognise her. Eventually a member of the nursery staff came to the door and let her in.Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 25 of 166They checked her ID against their records and saw that she’s been authorised by my parents,so they let her collect my brother.It’s not as if granny doesn’t know how to use face recognition systems; her Over-65 bus passhas a facial template stored on the smart-chip. But the template on the bus pass is renewedevery year which makes a difference. Also, I suppose the bus pass system allows quite a highrate of false positives. It makes sense; after all people are more concerned about preventinga child being kidnapped than stopping someone getting a free bus ride.We got home to find dad sorting through his files on our virtual residence. Each person inthe family has their own storage space which only they can access. We used to usepasswords to gain access but Dad realised that I always knew what his password was(because he always had it written underneath the keyboard!) and he was worried about allthe work-related files he keeps on there so he changed the system. Now you have to scanyour iris to access the system – it’s the latest gadget around the house.Dad bought the newest type of reader and I can’t spoof it like the one at school. Not that I’mtoo bothered though – I’m not interested in what Mum and Dad store there anyway. Thefunny thing is that Dad’s the one with the most problems using the system because he’s soshort-sighted that the second he takes his glasses off, he can’t see where he’s supposed tofocus.I can hear my brother in his bedroom next door, playing around with his new teddy bear.My parents call it his “biometric bear” and they think it’s so high-tech, but it’s just a regularteddy bear that has a voice recognition system. When they bought the toy, Mum typed inmy brother’s name and registered his voice so when the teddy hears my brother speak, itreplies to him with his name. My brother loves that – now he wants all his toys to say hisname.Granny is downstairs in the kitchen preparing some dinner. It’s a good thing Dad was hereto turn the hobs on for her because she still hasn’t enrolled her hand in the cooker’sbiometric system – and it’s not likely she’ll do so today after her experiences at the nursery.At home she uses an old-fashioned cooker but Mum and Dad bought a cooker with a handgeometry reader for our house in order to avoid accidents with my little brother around thehouse. Granny says that she’s learned to use enough biometric systems and the cooker isjust one system too many. I keep telling her hand geometry readers are the easiest things touse but she won’t listen to me.Having said that, there are times when biometrics can be a real hassle. My friend Max hasjust bought the latest Tomb Raider game and I wanted to use it too. I borrowed it off him atschool today but it turns out that the program asks for the purchaser’s fingerprint in orderto start up. I’ve got a little kit which I bought online for spoofing fingerprints, but Maxneeds to come round here first so we can make a copy of his print. Instead this afternoonI’m stuck here writing in my diary.It’s not all bad though… at least no-one can read what I’ve written without my iris.Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 26 of 166SCENARIO 2: BIOMETRICS IN BUSINESS

M&G Superstores, Inc.Head Office

MEMO TO SENIOR MANAGEMENTIMPLEMENTATION OF BIOMETRIC TECHNOLOGIES

Recently Management has been concerned about the use of biometric technologieswithin the working environment of M&G Superstores as well as in the superstoresthemselves. It is important to remember, as announced when biometrics were firstintroduced at M&G Superstores, that such an identification system will only beeffective if all of its elements work together. In the words of our founding fatherMiles Graham, “There is a logic in technologic”.

Personnel entrance: The biometric access system which clocks hours worked wasintroduced to replace the outdated system of punch-cards. It is therefore importantthat all employees pass through the system otherwise the hours they work will notbe registered.

Lately there have been large queues at the hand recognition device at the Northentrance. Guards at the North entrance should be reminded that they are only thereto monitor employees using the biometric access system and they must not underany circumstances open the barriers to let employees bypass the biometric check.The procedure clearly states that if the system denies access to an employee, he/sheshould immediately leave the queue and go through the secondary access point,through the guards at the South entrance. Failure to comply leads to delays andinconvenience.

A case was reported last week of a nervous employee being rejected due to sweatypalms. Instead of accessing the South entrance however, she insisted on gainingaccess through the main gate. As she became increasingly anxious, her palmsbecame even more sweaty, and the queue got larger and more impatient. Had shenot been so persistent and accessed the secondary access point, the inconvenienceto other employees would have been avoided. Remember the words of MilesGraham: “Obey, don’t delay”.

Merchandise purchases: it is imperative that all Purchase Managers adopt andembrace the remote multimodal biometric transfer system which has recently beenimplemented. This system allows large amounts of money to be transferred securelyworldwide. All that is required is biometric enrolment at our local bank branch.Purchase managers are reminded that they must register multiple biometrics (all tenfingers, face and iris are recommended). At least one of these biometrics must bereserved for bank use alone; the fourth or fifth finger of either hand arerecommended for this purpose as these fingers are not demanded by other majorapplications. The speed and security of these transactions help reduce financial andBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 27 of 166storage costs, and ensure harmonious relations with our providers.

Biometrics at our stores: There was a great deal of initial enthusiasm at M&GSuperstores when the face-voice biometric application was introduced. Our “enroland win!” promotion was a huge success, and the numbers indicate a substantial risein customer traffic due to the novelty effect of biometrics. However, our CustomerServices department have since received a series of customers’ complaints:

• Profiling: customers seem concerned that we are monitoring when they cometo the store and what they purchase. Although this is something we used to doanyway with our customer loyalty cards, there seems to be resistance tobiometrics being used for this purpose. We are currently considering installinga pseudonymous biometric system, where the only information collectedregards the spending patterns of our customers and some general informationabout them – but not their identity.• Delays at entrance: customers seem irritated with the biometric system at theentrance, which causes delays. Although they have the option to by-pass thisentrance, they need to queue in order to benefit from the savings of our “checkin, check out” promotion.• Respecting disabilities: we at M&G Superstores have a comprehensiveaccessibility policy. However, some disabled people are discriminated againstbecause they cannot enrol in our biometric systems. Common sense andcustomer service should prevail, allowing for the disabled to enjoy the samebenefits as everyone else. In the words of Miles Graham: “Don’t forget orneglect – just respect”.• Given the positive results with the discotheque trial, senior staff are urged toset up collaborations with local companies (e.g. movie theatres, video rentalshops, etc.) to join our ‘only enrol once’ program. The details of this programwill be explained via the intranet training system, but it is imperative to havemany local companies participating. Sharing our biometric database equalssharing of investment costs while for consumers, the convenience of a singleenrolment needs to be highlighted.

While we should all be positive and enthusiastic about the business opportunitiesthat biometric technologies offer, the Management recognises the teethingproblems involved with large scale implementation of biometrics. Seniormanagement are asked to keep this in mind, to apply common sense wherenecessary, and remember we have invested in biometrics in order to gain acompetitive edge and survive in a competitive market. It is up to you to ensure wesucceed.

Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 28 of 166SCENARIO 3: BIOMETRICS IN HEALTH

Dr. Adele Mattsson, a paediatrician, and Dr. Vasily Nowak, a neurologist, used towork together at the same hospital until Dr. Nowak moved to a different countryabout a year ago. They now keep in contact via email.

Dear Vasily,There have been lots of changes at the hospital. We now have different biometricsystems implemented. The first one to be installed was the physical access system for themedical supplies storerooms. Rather than having to type in a code to unlock the door, wenow have a verification system that works with smart-cards and iris recognition. Thehospital issued off-the-shelf smart-cards to all authorised people, which store our iristemplate. To enter the storerooms, we have to bring our card near the sensor, positionourselves correctly in front of the system, focus on the iris reader, and then wait for thematching process to occur. Once our identity has been verified, we are allowed to enter.The system keeps a log of everyone who has accessed the storeroom and it makes use ofRFID tags3on the supplies to audit what has been taken. I’ll tell you something – there’sbeen a noticeable drop in the quantity of supplies we use up each month but also areluctance from staff to be the one to retrieve legitimate supplies. After the success of thisfirst system, hospital management looked into other applications for biometrics (withmuch encouragement from biometric suppliers). Some of them have worked very wellwhile others quickly proved to be impractical.Network access was one of the next areas to be tackled. You remember that ITstaff asked us to choose long passwords and to change them regularly, but that rarelyhappened. It didn’t help that we were asked to pick a different password for every system(patient records, financial records, appointment schedules). Now we have single sign-onaccess for all systems. We use our fingerprint as a password when accessing medicalrecords; our workstations and laptops now have fingerprint readers on the mouse. This ischecked against the central database, which stores our fingerprints and access rights.There was a long discussion about the choice of biometric; some people were wary aboutusing fingerprints, or any other biometric which requires a contact reader because of thehigh risk of cross-contamination. That was the reason after all that iris recognition waschosen for access to the storerooms. But good-quality iris scanners are expensive and wedidn’t have the funds to install one on every workstation. In the end a compromisesolution was reached. The fingerprint readers are irradiated periodically with UV light andthey are cleaned regularly. The latter improves reader accuracy and now that everybodyhas learned how to place their finger on the reader correctly, we have few usabilityproblems.Like I said, there were other ideas that were simply unworkable. Others wereimplemented in a rush without taking into account working practices or the obviouslogistical problems. For example in an effort to ensure that patients would always receivethe correct medicine, the nurses were armed with PDAs complete with mobile fingerprintscanners. The idea was that patients would enrol their biometrics upon entry to the

3Radio frequency identification (RFID) is a method of remotely storing and retrieving data usingdevices called RFID tags. Source: WikipediaBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 29 of 166hospital and then the nurse would check the patient’s biometric against the templatestored in the PDA, each time before administering a medicine, in order to confirm thepatient’s identity and the prescription. You can imagine the difficulties that arose.Sometimes patients had bandaged hands or damaged fingers and it wasn’t possible to get areading; other times the nurses didn’t need to check the fingerprint because they knew thepatient well, but the system required every patient’s biometric to be logged when receivingmedicine. The risk of cross-contamination with patients was so high, that nurses had to bevery careful to clean the reader thoroughly after each use. This added enormous timeoverheads to their work. Hospital management eventually decided to withdraw thefingerprint readers and replace them with a more practical system using RFID tags. Afterall biometrics aren’t always the right solution.I hope everything’s going well for you with your new medical practice. I’ve read alot about the implementation of national health cards over there and I was wonderingwhat your views are on the matter.Best wishes,Adele

Dear Adele,It’s good to hear from you and it sounds like the hospital is as busy as ever. How iseveryone coping with the new systems? I’ve seen examples like the ones you described.Results depend indeed on the application and the implementation.One use of an internal biometric that has caught on at many maternity wards hereis a DNA register that ensures new mothers take home their own baby, preventing mix-upsand babies being taken illegitimately. Mothers-to-be give a sample of DNA when theyenter the hospital, which is analysed and the template is stored. Soon after birth a DNAsample is also taken from the baby. The mother’s and baby’s templates are linked in thedatabase which is read-only, preventing anyone from tampering with the records. Ofcourse the samples are discarded once they have been used to generate a template, and thetemplates are only stored until the mother and the child leave the hospital.The health card is also an interesting application. Contrary to what some peoplethink there is no centralised database of medical records. Something like that may beimplemented in the future but for now the costs of securing the data, due to privacyconcerns were judged to be too high. In fact the national health card we have is little morethan an ID card with some medical information. The health card here though also storesthe image of a biometric on the smart-card which they say is to enable medical staff toauthenticate a patient’s identity with greater confidence, but I haven’t seen a use for thatyet because in practice nobody asks patients to undergo a biometric check. The full imagewas chosen over a template to avoid tying down all hospitals and medical practices to onetechnology supplier. Hopefully biometrics will soon be standardised at a European level; itwill then be possible to store the template alone whilst allowing for full interoperability,leaving more space for medical information.The main driver for these biometric cards was to cut down on identity fraud in thehealth sector and to limit healthcare to those who are entitled to it; having said that, thebenefits aren’t limited to the government or private insurance companies alone. Severalcases have been reported where the allergy or medication information on the card saved alife.An area where I see real potential for biometrics is home healthcare. Biometricscan offer much greater confidence in remote authentication processes than passwords orBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 30 of 166tokens. Ideally everyone would have a good-quality iris scanner or fingerprint readerattached to their own computer so that they could access their medical files from theprivacy of their own home, but I think we’re still a long way off from that.Please send my regards to everyone at the hospital.I hope to hear from you soon,Vasily

Dear Vasily,You asked how everyone here is coping with the new systems. I would say prettywell on the whole. In the beginning we had training courses to help people enrol theirbiometrics and show them how to use the biometric readers. Some were already familiarwith biometric technologies, having used them at airports or in other areas; others had tolearn, but did so quickly. In general when we can see the purpose and the usefulness of thenew technology, we are quick to accept it. Problems arise if the technology is introduced aspart of a badly thought out application.Of course there is also the issue of visibility and liability which concerns many ofus doctors. If a patient is in a critical condition, we sometimes carry out risky proceduresin order to save a life. If biometric identification is used to track our every action though,who can say whether doctors will risk personal liability in order to go the extra mile?On the subject of medical record databases, I too was very sceptical at firstbecause of well-known privacy risks. But there are ways of creating databases withoutsacrificing anonymity. Biometrics can be used as a tool to achieve this. The medical recordcan be stored with the person’s biometric as the key. It contains no personal identificationdata. In a database of millions, the only way of locating the correct record is to have thebiometric key and of course the only person who has that is the one to whom the recordcorresponds. Clearly there are technological challenges here, a very accurate biometrictechnology is needed to perform this kind of one-to-many search, there have to be back-upprocedures in case someone’s biometric changes, for any reason. All this exemplifies howbiometrics are not in themselves ‘good’ or ‘bad’ but a tool that can be put to good or baduse.

I have to go now but stay in touch.Take care,

AdeleBiometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 31 of 166SCENARIO 4: BIOMETRICS AT THE BORDER

John Braun is an EU citizen who regularly makes trips for business and leisure. Forhim, travel has always been a hassle, particularly the long queues and waiting timesat airport terminals. When biometric schemes for frequent travellers wereintroduced, quite a few years back, he was among the first to join. On his next trip,during the month of August, John will be travelling with his 78-year old fatherGerard and his 9-year old daughter Martine.

At the travel agent

First John goes to his travel agent.

"Good morning, I'm here to pick up three tickets booked in the name Braun."

"Certainly, just one moment...Here we are. Three tickets, two adults, one child, flying from Amsterdam to Dubai onJuly 27th.Leaving Dubai on August 2nd for Beijing.Finally departing Beijing August 16th, with a 4-day stopover in Bangkok, arrivingAmsterdam August 21st.That's quite a journey you've got ahead of you! Would you also like our help inarranging visas for your destinations?"

"Yes please."

"Well, for Dubai you don't need a visa. The UAE have a watchlist system using irisrecognition. They store the iris pattern of those who have been deported or bannedfrom the country for whatever reason and then they might ask you to pass an iris scanto check that you're not on their list. For Thailand and China you will need a visahowever. Thailand has chosen the iris as the biometric for its visa system."

"The iris... we don't have the iris on our passports. Does that mean we'll have to go to theembassy?

"Yes unfortunately it does. All passengers will have to go to the embassy to enrol inperson. But I'm assured that the process doesn't take too long."

"How about China? I've heard that they make all passengers do DNA tests."

"Well that's partly true. They ask visa applicants to provide a DNA sample which theywill analyse in order to obtain a DNA fingerprint. It doesn't take too long though againyou have to go to the embassy in person. They attach this "fingerprint" to your visa butthey don't check everyone's DNA as they pass the border. In fact only underexceptional circumstances will they ask you to undergo a DNA test while there. Theyuse it for foreigners who have broken the law, drug traffickers, smugglers and so on.Nothing that would apply to you and your family."

"But we still have to go to the embassy to provide a DNA sample."Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 32 of 166

"Yes I'm afraid that's standard procedure. I'll start the applications for you. When yougo to the embassy, you quote the reference number and all you will need to do is enrolyour iris/DNA as appropriate."

A month later, John, Gerard and Martine go to the Thai embassy.They present themselves at the visa office with the reference number from theirtravel agent. The official first has to check their passports to ensure that the correctpeople are enrolling their data. If the enrolment is fraudulent (i.e. a person enrolstheir biometric data, but it is linked to someone else’s identity) then the whole visaapplication is compromised. Having had their identities confirmed, John, Gerardand Martine wait in line to enrol their irises. This can be a cumbersome process as itmay take more than a few attempts. Martine has never used an iris scanner before sothe embassy employee has to help her through the process, telling her where andhow to focus her eyes.

At the Chinese embassy the process is similar, only this time rather than scanningtheir irises, they are given a swab of cotton and asked to wipe it against the inside oftheir cheek. The DNA analysis will take at least an hour so the family go for a quicklunch before returning to have the visa chip affixed to their passport.

At Schiphol, the trip starts."Daddy, why are we waiting?""We're waiting to get our passports checked dear""But why don't they check them when we go to Spain or France?""That's because those countries are inside something called the Schengen zone andinside that zone they don't have to check our passports.""But why do they have to check them now?""Because we're leaving the Schengen zone, they have to check to see if we are whowe say we are""But daddy why...""Just wait a while till we sit down on the plane Martine and I'll explain anything youwant."

On the flight, while John answers his daughter's endless questions, Gerard glancesover the in-flight electronic magazine.

In-Flight Electronic Magazine

SCHIPHOL PROUD TO ANNOUNCE NEW BIOMETRIC SAFETY MEASURES

On July 1st, Schiphol Airport announced new safety measures designed to make itscustomers feel even safer. Fingerprint readers have been installed in air trafficcontrol towers to ensure experienced staff are always present in the control tower.Schiphol spokesperson, Daphne Dorst said, "Biometrics are generally associatedwith identification for security purposes, but just as important is their ability to confirma person’s presence at a specific location. By incorporating the readers into thekeyboards used by controllers, we are able to monitor presence in the control towerand thus guarantee that our customers are always in the best possible hands."

Biometrics at the Frontiers: Assessing the impact on SocietyEC-DG JRC-IPTS Page 33 of 166UAE border controlWhen the family reach Dubai, they go through passport control which is a similarprocess to the one at Schiphol. The immigration officials choose who has to pass bythe iris scanner so that the authorities can check they do not appear on the watch-list.The Braun family can walk straight through, and are allowed to proceed to baggagecollection without scanning their irises.

“I’m sure that can’t be very secure,” Gerard comments to his son. “They didn’t scanour irises. How do they know we aren’t on the watch-list?”“They have a system called Advanced Passenger Information or API,” Johnexplains, “From the moment we booked our tickets, the airline forwarded ourinformation to the UAE immigration authorities. They’ve done background checkson all the passengers and they can identify in advance which ones they need toquestion. The officials use their own judgment to decide who to examine further."

After a week in Dubai, the Braun’s journey continues with a flight to Beijing.On the plane, John picks up the newspaper and an article catches his eye.

Seven hours later, the Brauns have arrived in Beijing.

"Daddy are they going to do DNA tests on all of us to check who we are?""No Martine, I think the process will be similar to what we went through at Dubai.""But then why did we have to go to the embassy to give a DNA sample?""We gave the sample so that if the authorities have any doubt about who we are,they have a way to test it. In that case they would ask us to wait at the airport forabout an hour while they analysed a sample of our DNA in order to match us to our